Let’s Encrypt: защищаем корпоративный Exchange 2016 трёхмесячными сертификатами
Приведённый ниже конфиг nginx полностью работает с Exchange 2016 и позволяет переключить текущую конфигурацию незаметно для директорских iPhone и iPad — без запросов на смену сертификата, поскольку клиенты по‑прежнему ходят на то же имя mail.company.com, а сертификат меняется только на стороне nginx. Обратите внимание: в таком виде наружу публикуется и /ecp, где помимо настроек OWA живёт Exchange Admin Center — при необходимости ограничьте к нему доступ.
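# Plain-HTTP listener: answers ACME HTTP-01 challenges for certbot and
# sends every other request to HTTPS on the same host and path.
server {
    listen 80;
    server_name mail.company.com autodiscover.company.com;
    root /var/www/html;

    # Certbot drops challenge tokens under /var/www/html/.well-known/acme-challenge/.
    # "^~" makes this prefix location win over any regex location. The redirect
    # below lives inside "location /" on purpose: a bare server-level
    # "return 301" (as in the original) runs in the rewrite phase before any
    # location is matched, so the old ".well-known" location could never be
    # reached and the challenge itself got redirected.
    location ^~ /.well-known/acme-challenge/ {
        try_files $uri =404;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}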
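# HTTPS front end for Exchange 2016: terminates TLS with the Let's Encrypt
# certificate and proxies OWA, ActiveSync, ECP and RPC to the Exchange server
# at 10.0.0.2. After certbot renews, a plain "nginx -s reload" swaps the
# certificate in without touching Exchange, so clients see no certificate prompt.
#
# NOTE(review): only /owa, /Microsoft-Server-ActiveSync, /ecp and /rpc are
# proxied here, and there is no HTTPS server block for autodiscover.company.com.
# That is enough for OWA and mobile (ActiveSync) clients; desktop Outlook's
# /autodiscover, /EWS, /mapi and /OAB paths are not covered — add them if
# Outlook is expected to go through this proxy.
server {
    # "listen ... ssl" replaces the deprecated "ssl on;" (removed in nginx 1.25.1).
    listen 443 ssl;
    #listen [::]:443 ssl ipv6only=on;
    server_name mail.company.com;

    ssl_certificate     /etc/letsencrypt/live/mail.company.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.company.com/privkey.pem;
    # The original set no protocol policy at all, so whatever the nginx build
    # defaulted to (possibly including TLS 1.0/1.1) was accepted. Pin modern TLS.
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_session_timeout has no effect without a session cache to apply it to.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # HSTS: keep browsers on HTTPS for this host. Lower max-age first if you are
    # not yet sure every path under mail.company.com works over TLS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # nginx's default client_max_body_size is 1m, which makes OWA/ActiveSync
    # uploads above that fail with 413. Align this with Exchange's maximum
    # message size.
    client_max_body_size 50m;

    tcp_nodelay on;

    # Root and anything not matched below is sent to OWA.
    location / {
        return 301 https://mail.company.com/owa;
    }

    # Let's Encrypt follows the port-80 redirect, so challenges may also land
    # here. The original ".well-known" location set no root in this block and
    # would have served from nginx's compiled-in html directory, not the
    # webroot certbot writes to.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        try_files $uri =404;
    }

    # ---- proxy settings inherited by the Exchange locations below ----
    proxy_http_version 1.1;
    proxy_read_timeout 360;
    # Stream responses straight through instead of spooling them on disk
    # (long-lived ActiveSync/OWA requests).
    proxy_buffering off;
    proxy_pass_request_headers on;
    proxy_pass_header Date;
    # NOTE(review): nginx hides the upstream "Server" header by default; passing
    # it through discloses the IIS version string to clients. Remove this line
    # if that disclosure is unwanted.
    proxy_pass_header Server;
    proxy_pass_header Authorization;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Ask Exchange for uncompressed bodies so nginx can pass them untouched.
    proxy_set_header Accept-Encoding "";
    # Presumably keeps the upstream connection open for connection-bound
    # authentication; left as in the original — confirm before changing.
    proxy_set_header Connection "Keep-Alive";

    # NOTE(review): nginx does not verify the backend certificate unless
    # proxy_ssl_verify is enabled. If the hop to 10.0.0.2 crosses anything
    # other than a trusted LAN, turn it on and point
    # proxy_ssl_trusted_certificate at the CA that issued the Exchange cert.
    # Case-insensitive matches are kept because IIS treats these paths
    # case-insensitively and clients may send either spelling.
    location ~* ^/owa                          { proxy_pass https://10.0.0.2; }
    location ~* ^/Microsoft-Server-ActiveSync  { proxy_pass https://10.0.0.2; }
    # NOTE(review): /ecp serves both OWA "Options" for users and the Exchange
    # Admin Center. Publishing it unrestricted exposes the admin UI to the
    # Internet; consider limiting it (e.g. allow/deny by source address) after
    # confirming what OWA Options needs from it.
    location ~* ^/ecp                          { proxy_pass https://10.0.0.2; }
    location ~* ^/rpc                          { proxy_pass https://10.0.0.2; }

    error_log  /var/log/nginx/owa-ssl-company-error.log;
    access_log /var/log/nginx/owa-ssl-company-access.log;
}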